Monday, June 23, 2014

LDAP with Liferay



Actually, there is a lot you will need to do. I'd start with:
  1. Setting up an LDAP server (unless you are going to connect to an existing one)
  2. Spending some time understanding the LDAP bind mechanism (there are different modes: anonymous bind, bind with an admin account and then search for the user, etc.)
  3. Installing some software to browse the LDAP directory
  4. Thinking about what kind of authentication routine you are going to have. Are you going to export users to LDAP? Are you going to import them too? Will users be able to change their passwords from the portal? If LDAP authentication fails, will they be authenticated with the portal's own passwords?
  5. Understanding the meaning of Liferay's LDAP-specific parameters. Some are set in portal-ext.properties, while others are defined in the portal admin console (Portal Settings / Authentication). You'll have to think about how Liferay's User and User Group attributes are going to map to the LDAP ones.
  6. Taking into account Liferay's LDAP bugs. Many versions fix some bugs while introducing new ones.
  7. Gradually configuring Liferay to bind with LDAP. Check and test the server binding and the User and User Group scanning. Test miscellaneous scenarios (import a user, create a new one from portal registration, authenticate with the LDAP server down, etc.).
Generally, don't be hasty to jump in; take some time to study, because it will save you lots of time later.
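The bind modes in item 2 and the authentication routine in item 4 are easiest to see in code. The following is an added example written for this post, not code from Liferay or OpenLDAP. It performs the routine behind Liferay's "bind" authentication method: bind with the admin (Manager) account, search for the user's entry, then bind a second time as that user with the password the user typed. The host, base DN, Manager DN and password are the OpenLDAP-for-Windows defaults used later in this post; the screen-name attribute (uid), the object class (inetOrgPerson) and the class name are assumptions and must be changed to match your own directory.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Bind-with-admin-and-search, then bind-as-user authentication (added example, not Liferay code). */
public class LdapBindSearchAuth {

    // Assumed values: the OpenLDAP-for-Windows defaults used in this post.
    // Use ldaps://host:636 (or StartTLS) outside a lab; a plain ldap:// bind
    // sends the Manager password in clear text.
    static final String PROVIDER_URL = "ldap://localhost:389";
    static final String BASE_DN      = "dc=maxcrc,dc=com";
    static final String ADMIN_DN     = "cn=Manager,dc=maxcrc,dc=com";
    static final String ADMIN_PW     = "secret";

    /** Simple bind as dn/password; the constructor performs the bind and throws on failure. */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** RFC 4515 escaping for a value placed inside a search filter (LDAP injection guard). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Step 1: bind as Manager and look the user up. Returns the DN, or null if not found. */
    static String findUserDn(String screenName) throws NamingException {
        DirContext admin = bind(ADMIN_DN, ADMIN_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "cn", "mail" });
            // Without escaping, a screen name of "*" becomes a wildcard and the
            // filter matches every user entry in the tree.
            String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(screenName) + "))";
            NamingEnumeration<SearchResult> hits = admin.search(BASE_DN, filter, sc);
            if (!hits.hasMore()) {
                return null;
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                // Two entries with the same uid: refuse rather than guess which one to bind as.
                throw new NamingException("ambiguous screen name: " + screenName);
            }
            return dn;
        } finally {
            admin.close();
        }
    }

    /** Step 2: bind as the user. True only if the server accepted dn + password. */
    static boolean authenticate(String screenName, String password) throws NamingException {
        // Never send an empty password: LDAP treats a simple bind with a DN and no
        // password as an unauthenticated bind, which some servers accept.
        if (password == null || password.isEmpty()) {
            return false;
        }
        String userDn = findUserDn(screenName);
        if (userDn == null) {
            return false;
        }
        try {
            bind(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // invalidCredentials (LDAP result code 49)
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], args[1]) ? "authenticated" : "denied");
    }
}
```

Liferay's "bind" authentication method performs the same two steps, with the search filter coming from the Authentication Search Filter setting. The other method, password-compare, reads the userPassword attribute and compares it locally, which forces you to let the Manager account read password hashes; prefer bind. Note that the second bind is also what catches a user that exists but whose password the server rejects, which is why an empty password has to be rejected before it ever reaches the server.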



What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. It is a "lightweight" version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services. LDAP is lighter because it runs directly over TCP/IP instead of the full OSI stack and uses a simpler encoding and data model. Its early versions offered only simple (password) authentication; LDAPv3 added SASL authentication and, later, StartTLS for encrypting the connection, so "lightweight" does not have to mean "insecure" as long as you use those features.

LDAP is a protocol for accessing a directory. A directory contains objects, generally those related to users, groups, computers, printers and so on, plus company structure information (although frankly you can extend the schema and store almost anything in there).
LDAP gives you operations to search, add, modify and delete objects within a directory (and a few more, such as bind and compare, but those are the central ones).
What LDAP does not do is provide a database: a directory server exposes its database over LDAP, not the other way around. And a directory is much more than a sign-up list.
The usage model is similar to how people use library cards or phone books. When you have a task that requires "write/update once, read/query many times", you might consider using LDAP. LDAP directories are designed for very fast read/query performance over large data sets, and you typically store only a small piece of information per entry. Add/delete/update performance is relatively slower compared with read/query, because the assumption is that you don't update that often.
Imagine you have a website with a million registered users and thousands of page requests per second. Without a directory, every time a user clicks a page, even a static one, you would probably need to hit your relational database to look up the user and validate the login session. That query becomes your bottleneck. By moving user lookup and validation to LDAP, you offload that work and gain a significant performance improvement. Essentially, in this example, LDAP is an optimization layer in front of your database, not a replacement for any database function.
LDAP is not just for user validation; any task with the following properties might be a good use case for LDAP:
1) You need to locate one piece of data many times and you want it fast
2) You don't care about the logic and relations between different pieces of data
3) You don't update, add, or delete the data very often
4) The size of each data entry is small
5) You don't mind having all these small pieces of data in a centralized place


How to Integrate LDAP with Liferay?
 
Software used:
OpenLDAP (Windows edition)
LDAP browsers (Apache Directory Studio, JXplorer, LDAPSoft LDAP Admin Tool, Softerra LDAP Administrator, etc.)


Software links:
1. You can download the OpenLDAP Windows edition from the following location:


2. You can download the browsers from the locations given below:
Softerra LDAP Administrator: http://www.ldapadministrator.com/download.htm

Installing OpenLDAP:

1. Follow the installer's instructions and choose "localhost" or the machine's IP address as the host.
2. Choose the port and SSL port you want to use, or leave the defaults of 389 and 636 respectively.
3. Select the database backend for the directory: BDB or LDAP (we used BDB, i.e. Berkeley DB).
4. NEXT -> choose a password for the directory's root (Manager) account; by default it is "secret". Change it for anything other than a throwaway test install: the default is well known and this account has full write access to the directory.
5. NEXT -> Install -> Finish.


Using an LDAP Browser:

We used LDAPSoft LDAP Admin:
1. Start the server by running slapd.exe from the folder where OpenLDAP is installed.
2. Install LDAPSoft LDAP Admin.
3. Open LDAPSoft LDAP Admin and create a new connection to LDAP.
4. Specify the connection name; it can be any friendly name you want.
5. Specify the hostname as "localhost" or the IP address you set when installing OpenLDAP.
6. Specify the port you are using for LDAP.
7. Specify the Base DN as "dc=maxcrc,dc=com", or click the "Fetch Base DNs" button to fetch the base DNs automatically.
8. Go to NEXT and select the "Simple Authentication" method. You will need to provide the Bind DN and password, which are "cn=Manager,dc=maxcrc,dc=com" and "secret" respectively (or the password you chose during installation). The Bind DN can also be populated by clicking the button on the right-hand side of the Bind DN text field.
9. NEXT -> Finish.

Now you have a working connection to OpenLDAP and you can create your own OUs and CNs.
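To have something to point Liferay at, here is a constructed LDIF that creates one organizational unit and one user under the maxcrc base DN. It is an added example for this post, not data shipped with OpenLDAP or shown in the original screenshots; the OU name, the user, the e-mail address and the password are invented. The inetOrgPerson attributes were chosen so that Liferay's default OpenLDAP user mapping (screen name, e-mail address, first name, last name, password) has something to map to.

```ldif
# Constructed sample data for this post. Load it with the Manager account
# (see the ldapadd command below). Skip the first entry if the installer
# already created the base DN (ldapadd then reports "Already exists").
dn: dc=maxcrc,dc=com
objectClass: dcObject
objectClass: organization
dc: maxcrc
o: maxcrc

dn: ou=People,dc=maxcrc,dc=com
objectClass: organizationalUnit
ou: People

# Invented user. Liferay's OpenLDAP defaults map mail -> e-mail address,
# givenName -> first name, sn -> last name and userPassword -> password.
dn: uid=jsmith,ou=People,dc=maxcrc,dc=com
objectClass: inetOrgPerson
uid: jsmith
cn: John Smith
givenName: John
sn: Smith
mail: jsmith@maxcrc.com
# slapd stores userPassword exactly as given. Outside a throwaway lab,
# replace the clear-text value with the {SSHA} string printed by
#   slappasswd -s <password>
userPassword: changeme
```

Load it with the command-line tools that ship with OpenLDAP (or with the browser's import-LDIF function): `ldapadd -x -H ldap://localhost:389 -D "cn=Manager,dc=maxcrc,dc=com" -W -f maxcrc-users.ldif`. Then check that the new user can bind on its own before involving Liferay: `ldapwhoami -x -H ldap://localhost:389 -D "uid=jsmith,ou=People,dc=maxcrc,dc=com" -W` should print the user's DN; an "Invalid credentials" error here means the problem is in the directory, not in the portal configuration.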

Configure OpenLDAP with Liferay

Go to the Control Panel in Liferay 6 EE.
  1. Control Panel ---> Portal Settings
  2. From the right-side panel select Configuration ---> Authentication

Clicking Authentication opens several options; select LDAP.

Click Add under LDAP Servers.

Server Name: give it any name
Default Values: select OpenLDAP

Fill in all the details as shown in the image.
In Credentials: secret (or the Manager password you chose during installation)

After clicking Test LDAP Connection you will get a popup as shown in the image.

Users
Keep all the fields as they are, except the Group field at the end, just before the Test LDAP Users button: clear it. The OpenLDAP default values fill that mapping with a group-membership attribute that plain inetOrgPerson entries do not have, and the user test fails while it is set.

So, keep the Group field blank.

After clicking the Test LDAP Users button, a popup listing the available users will be displayed, as shown in the images below.

In the snapshot you will be able to see the users we configured in OpenLDAP (refer to the last image, which shows the user we configured in OpenLDAP using the browser).
  Structure of LDAP with Apache DS



